
SecureFact – Cyber Security News – Week of May 12, 2025

PowerSchool hacker now extorting individual school districts: 

  • PowerSchool is warning that the hacker responsible for its December 2024 cyberattack is now individually extorting multiple school districts, threatening to release stolen student and teacher data unless ransom demands are met.
  • The data, originally stolen through compromised credentials and unauthorized access to PowerSchool’s customer support portal, includes sensitive information such as full names, addresses, phone numbers, Social Security numbers, medical data, and grades of over 62 million students and 9.5 million teachers across 6,505 districts in the U.S., Canada, and other countries.
  • Although PowerSchool paid a ransom shortly after discovering the breach to prevent data exposure, the threat actor did not delete the stolen data as promised and is now targeting districts like those in North Carolina and the Toronto District School Board with separate extortion attempts.
  • PowerSchool has involved law enforcement in both the U.S. and Canada, continues to support affected customers, and recommends affected individuals use the offered two years of free credit monitoring and identity protection services. This incident highlights the risks of paying ransoms, as attackers often fail to honor data deletion promises, leading to repeated extortion attempts. 

*Source 

VC giant Insight Partners confirms investor data stolen in breach: 

  • Insight Partners, a major global venture capital and private equity firm managing over $90 billion in assets, confirmed a data breach in January 2025 resulting from a sophisticated social engineering attack.
  • The breach, detected on January 16, involved unauthorized access to certain IT systems and led to the theft of sensitive data related to employees, limited partners (investors), and portfolio companies.
  • Exposed information includes fund details, management company data, portfolio company information, banking and tax records, and personal data of current and former employees. The firm quickly contained the incident within a day, with no disruption to business operations, and engaged cybersecurity experts to investigate.
  • Insight Partners is notifying affected individuals in phases and recommends they change passwords, enable two-factor authentication, monitor financial statements, and consider fraud alerts or credit freezes. No ransomware group has claimed responsibility, and the investigation into the full scope continues. 

*Source 

Education giant Pearson hit by cyberattack exposing customer data:

  • Education giant Pearson suffered a significant cyberattack beginning in January 2025, initiated through an exposed GitLab Personal Access Token (PAT) found in a publicly accessible .git/config file.
  • This vulnerability allowed attackers to access Pearson’s source code, which contained hard-coded credentials for cloud platforms like AWS, Google Cloud, Snowflake, and Salesforce CRM. Over several months, threat actors used these credentials to steal terabytes of data, including customer information, financial records, support tickets, and proprietary source code, potentially impacting millions of people worldwide.
  • Pearson confirmed the breach involved mostly “legacy data” and stated employee information was not affected. The company responded by halting unauthorized access, engaging forensic experts, cooperating with law enforcement, and enhancing security monitoring and authentication measures.
  • However, Pearson has not disclosed the exact number of affected customers, details about ransom demands, or specific notifications to impacted parties. This incident highlights the critical risks posed by exposed developer credentials and the importance of securing Git configuration files to prevent cloud infrastructure breaches. 
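The Pearson item above turns on a `.git/config` file that carried a GitLab Personal Access Token and was reachable from the web. As an added illustration (not code from the original article or from Pearson), the script below parses git's INI-style config format, flags credentials embedded in remote URLs or token-shaped values, and shows how to rewrite a remote URL so the secret can be moved into a credential helper instead. The sample config, the `gitlab.example.com` host and the `glpat-EXAMPLE...` token are constructed placeholders, not real values; the token prefixes are the documented public shapes of GitLab (`glpat-`) and GitHub (`ghp_`, `gho_`, ...) tokens.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .git/config, written here for illustration only.
# The token is a fake placeholder in the GitLab "glpat-" shape, not a real credential.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://oauth2:glpat-EXAMPLExxxxxxxxxxxxxxxx@gitlab.example.com/acme/webapp.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.example.com:acme/webapp.git
[http]
\textraheader = AUTHORIZATION: basic ZXhhbXBsZTpzZWNyZXQ=
"""

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')

# Token shapes worth flagging wherever they appear in a config value.
TOKEN_PATTERNS = {
    "gitlab_pat": re.compile(r'\bglpat-[A-Za-z0-9_-]{20,}'),
    "github_pat": re.compile(r'\bgh[pousr]_[A-Za-z0-9]{36,}'),
    "auth_header": re.compile(r'(?i)authorization:\s*(basic|bearer)\s+\S+'),
}


def parse_git_config(text):
    """Parse git's INI-like config into (section, key, value) triples.

    [remote "origin"] becomes 'remote.origin'; [core] stays 'core'.
    Lines starting with '#' or ';' are comments, as in git itself."""
    entries, section = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(stripped)
        if m:
            section = m.group(1) if m.group(2) is None else f"{m.group(1)}.{m.group(2)}"
            continue
        m = KEY_RE.match(raw)
        if m and section is not None:
            entries.append((section, m.group(1).lower(), m.group(2)))
    return entries


def find_exposed_credentials(text):
    """Map (section, key) -> sorted reasons for every value that embeds a credential."""
    findings = {}
    for section, key, value in parse_git_config(text):
        reasons = set()
        if key == "url":
            parts = urlsplit(value)
            # Only http(s) remotes can carry user:token@ userinfo; scp-style URLs cannot.
            if parts.scheme in ("http", "https") and (parts.username or parts.password):
                reasons.add("credential in remote URL userinfo")
        for name, pattern in TOKEN_PATTERNS.items():
            if pattern.search(value):
                reasons.add(f"token pattern: {name}")
        if reasons:
            findings[(section, key)] = sorted(reasons)
    return findings


def redact_url(url):
    """Return an http(s) remote URL with its userinfo removed, unchanged otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not (parts.username or parts.password):
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for (section, key), reasons in find_exposed_credentials(SAMPLE_GIT_CONFIG).items():
        print(f"{section}.{key}: {', '.join(reasons)}")
    for section, key, value in parse_git_config(SAMPLE_GIT_CONFIG):
        if key == "url":
            print(f"{section}.url -> {redact_url(value)}")
```

Run against a checked-out repository's own `.git/config` (or a CI runner's home directory), the scan gives a concrete list of values to rotate and move into `git credential` storage or a CI secret store. Independently of that, a web server in front of a deployed checkout should refuse to serve the `.git/` directory at all, for example with an nginx `location ~ /\.git { deny all; }` block, so that a config file like the one above is never fetchable even if it still contains a token.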

*Source 

Ascension says recent data breach affects over 430,000 patients: 

  • Ascension, a major U.S. healthcare system, disclosed a data breach affecting over 430,000 patients, resulting from a December 2024 data theft attack on a former business partner.
  • The exposed information includes personal details such as names, addresses, phone numbers, emails, dates of birth, race, gender, and Social Security numbers, along with sensitive health data like physician names, admission and discharge dates, diagnosis and billing codes, medical record numbers, and insurance company names.
  • The breach was linked to a vulnerability in third-party software used by the partner, likely connected to Clop ransomware attacks exploiting a zero-day flaw in Cleo secure file transfer software. Ascension is offering two years of free identity monitoring, credit monitoring, fraud consultation, and identity theft restoration services to affected individuals.
  • The healthcare provider has also reviewed its processes and is implementing enhanced security measures to prevent future incidents. 

*Source 

CoGUI phishing platform sent 580 million emails to steal credentials: 

  • The CoGUI phishing kit sent over 580 million phishing emails between January and April 2025, primarily targeting Japanese users but also affecting smaller campaigns in the U.S., Canada, Australia, and New Zealand.
  • These emails impersonate major brands like Amazon, Rakuten, PayPal, Apple, tax agencies, and banks, aiming to steal usernames, passwords, and payment information. CoGUI employs advanced evasion techniques such as geofencing, browser fingerprinting, and device profiling to selectively deliver phishing pages only to targeted victims, redirecting others to legitimate websites to avoid detection.
  • The phishing pages mimic real login forms to trick users into submitting sensitive credentials. CoGUI is linked to Chinese-speaking threat actors and is considered the highest volume phishing campaign currently tracked by Proofpoint. The kit also supported smishing campaigns in the U.S. before those shifted to a related kit called Darcula.
  • Mitigation involves educating users to avoid clicking suspicious links, verifying requests via official sites, and implementing strong multi-factor authentication, preferably with physical security tokens to counteract phishing risks. 

*Source